On 24 July 2020 the European Data Protection Board (the ‘EDPB’) released its FAQs on the judgement of the Court of Justice of the European Union in Schrems II. For our commentary on Schrems II please see here.
The judgement in Schrems surprised many people and has the potential to upset international transfers around the world, not just from the EEA to the US. Whilst some regulators (e.g. the Berlin data regulator) had, in the aftermath of the judgement, made sweeping statements about data transfers to the US being no longer permitted, and other commentators had raised valid concerns about the width of the logic of Schrems II (e.g. it must apply to Binding Corporate Rules (‘BCRs’) too), many regulators had taken a measured tone, recognising the difficulties in the decision for business. Most notably, the ICO even suggested it was ‘currently reviewing our Privacy Shield guidance after the judgement issued by the European Court of Justice on Thursday 16 July 2020’ and that ‘if you are currently using Privacy Shield please continue to do so until new guidance becomes available’ (albeit the ICO did also say ‘please do not start to use Privacy Shield during this period’).
The EDPB said on Friday 17 July 2020, the day after the judgement, that:
‘the EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.’
Hopes were therefore high the EDPB might release practical, pragmatic and reasonable guidance in relation to Schrems, possibly even with a recognition that businesses will need time (6-12 months) to adjust to the impact of Schrems II, and possibly even confirming a moratorium on any regulatory action.
Instead, the EDPB's FAQs make the following points (in very short summary and collating a number of points; please do read the FAQs for the full picture):
Essentially the EDPB has taken some strongly indicated, yet still hypothetical, conclusions from Schrems II and made them the confirmed position of all the regulators in the EU.
What do we need to do now?
As we said in our note on Schrems II (please see here), and even despite the EDPB FAQs, we do not believe there is any need to panic. Whilst the Schrems II judgement and the approach of the EDPB are very surprising, we still retain hope that most regulators will retain a sense of pragmatism and commercial reality and that this should be echoed within the halls of the European Commission.
That said, controllers and processors (or indeed just any exporters and importers) need to think about the following:
– warranties that SCCs work;
– promises to implement further ‘supplementary measures’ as required (and as guidance is forthcoming);
– notification requirements from a processor/importer to the exporter if approached by a government for access to data; and
– agreement from a processor/importer to challenge any government requests.